
OWASP, you keep using that word. I do not think it means what you think it means


by avid (OWASP Israel)


Writing this post does not make me happy. I am not proud nor excited to be writing it. However, I am forced to share some bad news that the global infosec community deserves to know. Following is an adapted version of the message I just posted to the OWASP Israel Chapter mailing list (additional facts and refutations are about halfway down).
Up until last week, I was the conference chair for OWASP's Global AppSec EU Conference. After our proposal won the bidding process in April, as defined by OWASP, our local community was intended to host next year's AppSec Europe 2018, in Tel Aviv. There was a lot of excitement in the global community, and for good reason - we have been spending hundreds of hours planning out a remarkable event, which would have proved to be one of the biggest and most successful AppSecEUs yet, and would have served as an excellent fundraiser for OWASP's activities, both thanks in large part to the local industry and the amazing community here.
Sadly, the OWASP Leadership have made the unprecedented decision to cancel the event.
Even though we had strictly followed all of OWASP's process, and were well on track to fulfilling all of the organization's goals for the event at very low risk, they have decided to restart the conference planning and organization in a new location, over halfway through the process, instead of hosting AppSec Europe in Tel Aviv with the full support of the local community. Apparently, the OWASP Leadership does not consider Israel (the "cyber capital of the world") to be an "appropriate" location for a Global AppSec conference.
To be absolutely clear: The OWASP Israel chapter is vehemently opposed to this move, and we do not accept nor agree with the official statement in any way.
This action, moving the conference location without cause halfway through planning, is unprecedented for any community or similar organization. This is a black mark on the OWASP Foundation, and how it conducts itself with the many volunteers worldwide that have been willing, until now, to step forward and invest their time in promoting OWASP and its cause. The Foundation's claim for transparency has been severely damaged through this terribly political and opaque process, and the misleading statement they have issued.
It should be noted that this decision was made WITHOUT consulting with the local chapter and conference committee, or even gathering the relevant information from us. No one from OWASP Israel was even allowed to provide accurate data on the situation before this vote was finalized. It is simply inconceivable that a responsible organization would allow such a decision to be made without hearing from the people involved. This decision, made without critical information, completely disregards the existing process and rejects the community efforts involved. This course of action makes clear that the decision is not based on facts, planning status, or current estimates, but on personal politics and hidden agendas.
There has been a lot of strategic miscommunication from OWASP Leadership, and even in the public announcement of the move there are numerous statements that are noticeably incorrect. Even the manner in which it was sent, deliberately delaying giving the Conference Team an answer until Friday night while many of us are already away for the weekend or offline for the Jewish Sabbath, and right before the Leadership all leave for weeks of holidays, is illustrative of the type of pseudo-transparent tactics that are being used. (For those of you that are interested, a full accounting of relevant facts and debunking will follow below.)
We want to thank the many volunteers who have donated many hundreds of hours of their time to work relentlessly to make this event happen, and apologize for OWASP Foundation's shameful behavior. We as a community do appreciate it greatly, and we asked for your help based on the assumption of OWASP Foundation's good will towards its community, and commitment to advancing its mission. We are shocked by this recent shift in OWASP culture to exclude local communities that are outside the popular centers such as London, and prioritize personal politics and short-term financial gains (no matter how tenuous or imaginary) over long-term community growth and progress in our mission.
We also apologize for OWASP Foundation to those that have already paid for travel arrangements, initiated visa processes, or made other commitments around this once-great event. We do invite you to attend the other fantastic events happening here in Tel Aviv that week, and also our other amazing conferences such as AppSecIL later in the year. I will personally endeavor to make your visit worthwhile. (Serious offer, if you are coming please get in touch with me, and we'll see what we can do :-) )
Though my love for OWASP is great (as many who know me can attest), I now have to state that the OWASP Foundation is no longer tenable. A decision has not yet been made as to what sort of relationship we can continue to have. The local Chapter leaders (Or, Ofer, Yossi, Hemed, and myself) are discussing our options, and considering what is best for the future of our community and how we can continue to function as a healthy, vibrant community. We appreciate your feedback, and would love to hear your thoughts below, or via email, Twitter, or whatever.
Regardless of what the OWASP Leadership believes about the AppSec community in Israel, I have the privilege of being part of one of the strongest, most active OWASP communities in the world. With over 700 people participating in AppSecIL every year, and dozens of AppSec vendors supporting the community both locally and globally, we have substantial influence in global markets.
I call on all of you to let the OWASP Leadership know that this declaration of animosity for the local community is unacceptable. Though this pains me greatly, I would like everyone's help with sharing this, especially to those that are planning on attending or speaking at OWASP AppSec EU.
For those companies that usually support or sponsor OWASP Foundation and AppSec conferences, I call on you to continue to support the OWASP communities and its mission – but support the local chapters that are actually doing the work, the projects that are building tools to help in our mission, and all the amazing volunteers around the world who bring their passion to our cause. Do not continue to prop up a toxic organization that sabotages its community and deals in bad faith with its volunteers.
And to all the other fantastic communities, chapters, and projects that are so dedicated to our shared cause of bringing application security to everyone – "making software security visible" – I would recommend you consider this as a cautionary tale, and review your commitment and obligations towards an organization that is willing to throw its volunteers off a cliff for personal reasons and imaginary dollars (or euros). Dedicate yourself to your community, whether local or global, instead of the toxic Foundation that measures the worth of your community based on how many dollars can be collected from your members, and not their actual contributions. Ensure your community can survive – and thrive – despite sabotage from the very people that should be most supporting you. And while OWASP absolutely requires plenty of funds to operate, remember that it is the many wonderful volunteers that get stuff done and achieve our mission. The dollars and euros are the nuts and bolts in the vehicle, but it is the community that is its engine.
Here in Israel, we have just finished celebrating the Jewish holiday of Hannukah, the Festival of Lights. This is a time of rededication. A time to bring light unto darkness, to rise up in the face of adversity, and grow stronger together. I do not know what our community will look like in the future, but I am proud to be a part of it.
Claims and Facts
You can listen to the recording of the Board of Directors' meeting here, starting at around 58 minutes in: https://drive.google.com/open?id=1i2zdQ6QVFoWh06TBuJy2Zo5bvp9M50zJ. Feel free to draw your own conclusions, but many incorrect statements and misrepresented facts were the basis for this decision. Following are some of the more egregious claims made, and repeated in the public announcement.
These are ostensibly the reasoning behind this reprehensible action, but they are easily debunked. In fact, after having been informed just a few days ago that this decision was taken without our knowledge, we eagerly provided the OWASP Leadership with corrections to the incorrect statements, and summarized all additional relevant information that was already readily available to them. And yet the Leadership has apparently decided to continue to pursue this course of action, irrelevant of the facts. (Although some new "concerns" have been floated for the purpose of the public announcement, despite not being mentioned earlier, to take the place of the ones that were refuted after the BoD meeting).
Here they are:
  • “We don’t have a venue yet!” 
    The venue had been selected when we submitted our proposal, when we won the bid to host the conference. This was officially announced back in May. The details had been worked out and negotiated months ago; a prepared contract was sitting for weeks awaiting signature by the OWASP financial team.
  • “Competing free events taking place during the same week” 
    This has been touted several times, referring to different things. It is hard to understand what they are referring to, since either way this is such an illusory conflict.
    • CyberWeek and BSidesTLV are occurring the same week, and planned accordingly so as to not conflict. In fact we were collaborating with their organizers so as to increase attendance due to their cooperation.
    • AppSecIL, as mentioned in the BoD meeting, is in a completely different timeframe (it usually takes place 4 or 5 months later). While it is a free conference, this is by no means any form of competition; in fact we were discussing with OWASP staff how to best unify these events.
  • “Attendance from the international community”
    It is really hard to debunk this one way or the other, since we hadn’t opened registration yet, but it is curious what they are basing this on. However by all indications, such as other past events and buzz in the international community, this event would most likely have drawn larger numbers of international attendees than usual. The only explanation for this claim (other than transparent excuse) is the expectation that there are many anti-Israel advocates in the OWASP community and we need to cater to them, but they would stay away in droves. (The dozens of excited messages we’ve received from people anticipating coming from all over the world, even including countries with apparent animosity towards Israel, seems to prove otherwise.) 
  • “Participation from the regional community”, “The local team has informed OWASP that a combination of economic challenges locally”
    Patently untrue, however the new Leadership had unreasonable expectations of 80% of attendees being local (in the past it has been consistently around 20%). And while we informed them of no such thing, the local team did mention that we should not be expecting 80% local attendance. In addition we pointed out that most of the local attendees would have their tickets paid for by their work, and relatively few would be paying individually out of pocket. The staff had also suggested small local discounts for active participants in the community. Honestly not quite sure how this got twisted around to “unlikely participation”. 
  • “The level of expected sponsorships”
    While we had not yet started accepting sponsorships (due to waiting for contract signatures), we did have several vendors lined up that were eagerly waiting to be able to sign up. By all reasonable expectations, we would have done very well, likely surpassing previous AppSecEU sponsorship sales. 
  • “Present too significant a risk to AppSec Europe”
    This is clearly disingenuous, as uprooting the conference halfway through preparations and dropping the team that has been working on it would be infinitely more risky. In fact, the only significant external risk to AppSec Europe was the rogue Summit that was irresponsibly scheduled for just two weeks before the conference – and as the Board have repeatedly decided, was an unauthorized event and not permitted to use the OWASP branding or budget. (The BoD recording above continues this discussion, just after the AppSecEU topic. Very interesting to listen to.)
    Yes, dear reader, in case you are wondering, this “unauthorized” Rogue Summit is the very same one that is being merged with AppSecEU. 
    It IS a transparent process, after all. 
  • “Financial challenges” 
    This was a very general and vague “concern”, without raising any actual issues or sharing figures to back this up. While London as a corporate conference venue is always very popular and profitable, uprooting the conference and airdropping it in on London with only a few months of planning is inherently risky and unlikely to be successful, financially or otherwise – especially as it is scheduled to conflict with InfoSec and BSides London. On the other hand, the original plan was meticulously calculated to account for all likely eventualities, and as mentioned collaboration with CyberWeek/BSidesTLV would ensure we surpass our original goals. Conservatively, we would have produced a profit well in excess of 100K Euro.
These dubious claims were the basis for such an unparalleled move. These are the facts as they are. Feel free to draw your own conclusions as to the personal reasons behind the Leadership’s decision.
Now, in the interest of genuine transparency, here are some more of the details shared with the Leadership during this fiasco:
  • Since it has been subtly implied, over and over again, that Israel is far removed from the rest of Europe – it should be noted Israel is very easy to reach from the rest of Europe. With direct flights and connections from most major cities (e.g. 2 hours from Athens, 3 hours from Budapest, 3.5 hours from Rome, 4 hours from Berlin, 4 hours from Moscow, 4.5 hours from Paris, 5 hours from London) – it is slightly further than London from Western Europe, but slightly closer for Southern and Eastern Europe. 
    It is even reasonable for near-Asian countries, such as Turkey, Iraq, and India (a sample of countries from which several people have reached out to enthusiastically tell us they intend to come).
    This would have been particularly important if we did not want the conference to devolve to a UK-centered event, as this is the 3rd time there in 5 years (Cambridge in 2014, Belfast in 2017, and again in London in 2018). Clearly, the Leadership is making their intentions apparent. 
  • Likewise, tourists travelling on an EU or UK passport do not need a visa to enter Israel. For most of the non-EU/UK/US countries (and including several East-European countries), it is actually much easier to enter Israel than the UK. Tourists and non-Israeli-residents are even exempt from paying VAT in Israel. 
  • Israel has hosted many successful European conferences: from the 24th Eurovision International Song Contest in 1979 all the way to the 6th Symposium of the European Association for Research in Transportation in 2017, countless cultural, artistic, scientific and technological events have been organized in Israel. More relevant, Israel is represented in the European Cyber Security Organisation (ECSO) and in the H2020 European Security Research Map (SeReMa).
  • Pursuant to this, Israel has hosted a very successful European summit for ISACA (Information Systems Audit and Control Association) in 2013, and more recently the CISO summit for CENTR (Council of European National Top Level Domain Registries).
  • Security and cyber conferences in Israel are always heavily attended from abroad, such as last year’s CyberWeek conference (with whom we are collaborating this year), hosted by Tel Aviv University, which had over 6,000 attendees from over 50 countries. The CyberTech conference in Tel Aviv this year had 13,500 attendees, from 67 countries. 
  • The purposeful delaying of the contract with the venue has already been mentioned, but other such contracts were similarly delayed. 
  • For example, we had admittedly not done enough marketing, other than via our own social networks. Though there was already plenty of buzz and excitement, we did not have a proper marketing plan. While this could have been a cause for concern, it was due in large part to not having signed with the marketing company yet. 
  • Similarly, the Call for Papers and Call for Trainings were not yet as active as we would have liked, again due to purposeful lack of publication and marketing. 
  • However we did already have three amazing keynote speakers confirmed, and were finalizing with a fourth. Although I do not know if they would be interested in participating in the new arrangement. 
  • I want to point out again that this whole story played out behind our backs, with no communication with the local team whatsoever, despite the Leadership’s claims to the contrary. The first we heard of it being discussed was 2 days after the BoD meeting, informing us that they had already decided to move. In fact, so-called “concerns” had been discussed with the staff, but we offered effective solutions for any real problems and de-risked any such concerns, in a manner which met with their full agreement at the time. As it turns out, that discussion was moot, since the decision to move had already been made “unofficially”.
Further, it is worth noting that the motion as voted on by the Board of Directors was as follows (emphasis mine):
The board recognizes that there are significant issues with running the AppSecEU event and empowers our new ED to review, with input from the community, whether it is still the best location for the event and determine if the event needs to be moved elsewhere.
However, the community input has been ignored, thus it is very easy to assume the unanimous agreement meant “it SHOULD be moved”, rather than “determine whether or not it is still viable to do in Israel”. Based on the input, the determination would clearly be that Tel Aviv is a legitimate venue and the best location at this point, and to empower a strong conference there. But it is impossible to make an honest determination, whilst willfully ignoring the facts.
On a personal note: my adoration for OWASP was never rooted in the bylaws, the terrific projects (or the many failed ones), or even the logo (which I displayed proudly, on my bag, my computer, even on my head). For me it was always about the community, and what our community is capable of achieving together. Today, that community was forced to take several steps backwards. And yet it is an incredibly strong community, and I believe we will be able to thrive, whether with the Foundation or without. I truly hope the incoming Board will realize the error in their ways, and recommit themselves to serving the community, with new executive leadership that understands that the very essence of OWASP is its community – and that community must come first.